Secure communication systems provide many different categories of users with the capability to exchange sensitive information with little risk of eavesdropping. Because of the complex nature of modern encryption schemes, encrypted communication signals sound like noise to any listener not equipped with a proper decryption device. Long digital sequences called keys are used to encrypt information signals, and proper decryption cannot occur unless the listener is equipped with a decryption device of the same type as that used to encrypt the signals, and containing the same key as that used by the encryption device.
Because of the need for an adversary to learn encryption keys in order to seriously threaten system intergrity, the keys themselves and the way they are managed may be considered the weak link in any secure system. Conscientious system managers change keys in all communication units throughout the system on a regular basis (perhaps as frequently as weekly) in order to forestall possible system compromise. Even though the regular rekeying procedure may be time consuming, there is no particular pressure of time in this rekeying scenario.
Having just one secure communication unit within a system fall into the hands of an adversary, however, creates a greater need for urgency. Secure communication units that are constantly exposed to the hazard of theft (those used by police agencies, for example) do occasionally end up in the wrong hands.
When in the possession of a skilled adversary, it is always possible that a stolen communication unit may be analyzed, despite built-in safeguards, to discover information about encryption keys in use and about the structure of the key management system itself. When theft of a particular unit is discovered, it is imperative that the keys in the stolen unit not be used for encryption from that point forward. Because of the group structures often employed in large systems (designed, for example, to permit tactical units to communicate with investigative units within law enforcement agencies) numerous units may have to be rekeyed in order to allow full communication capability to be restored. In addition, if an adversary were to obtain more than one communication unit, an examination of the keys stored in the unit might reveal important group relationships.
According, a need arises for a method for rekeying a large number of communication units in the field in the shortest possible time, while allowing rapid reorganization of the key assignment plan.